[Samba] help with AD integration

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Sep 30 08:45:13 MDT 2010

Then it sounds like you need the AD integration.  If the users also 
log in to the Linux workstation directly (or via ssh) then you will need 
to configure winbind and nsswitch to support unix logins.

Why does nsswitch.conf include ldap?  Is this the only linux/unix 
machine?  Are local users in ldap or /etc/passwd?

What version of samba?   What version of linux?

Ideally "getent passwd" would show something like

ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/tcsh

or

SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash

I don't think you need a huge amount of AD experience to make this work, 
but I think you have to have a general understanding of what Windows 
domains are about.

You should also review the smb.conf man page for the section on idmap_ad.

On 09/30/2010 09:24 AM, Ben George wrote:
> Thanks for your reply..
> Yes, my client told me like this, that's why.. and the manager gave that 
> work to me, newly joined.. :(
> I don't have any AD or core Unix experience.. I have only experience 
> in Linux, not much.
> This project may affect my job.. :(
> My nsswitch.conf:
> passwd:     files ldap winbind
> group:      files ldap winbind
> hosts:      dns files
> ipnodes:    dns files
> "nsswitch+winbind (which I do) or the smb pam module"..? :(
> I don't know.. my client's need is: he has a Linux machine and also an 
> ADS.. from the Unix machine, he wants to share secure folders to the AD 
> users.. so each user can only access that particular shared 
> folder.. when the password of a user is changed in AD, that will affect 
> the smb password... meaning without changing that particular user's smb 
> password on the Unix machine..
> For this need, which method is useful, from your experience?
> "Does "getent passwd" show the windows users?"
> Please check the output.. I think getent passwd only shows the Unix 
> system passwd.
> bash-3.00# getent passwd
> root:x:0:0:Super-User:/:/sbin/sh
> daemon:x:1:1::/:
> bin:x:2:2::/usr/bin:
> sys:x:3:3::/:
> adm:x:4:4:Admin:/var/adm:
> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
> smmsp:x:25:25:SendMail Message Submission Program:/:
> listen:x:37:4:Network Admin:/usr/net/nls:
> gdm:x:50:50:GDM Reserved UID:/:
> webservd:x:80:80:WebServer Reserved UID:/:
> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
> svctag:x:95:12:Service Tag UID:/:
> nobody:x:60001:60001:NFS Anonymous Access User:/:
> noaccess:x:60002:60002:No Access User:/:
> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
> ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
> "you already have a "unix" ben and a "ADS" ben defined?"
> Yes, I defined the ben user in Unix and ADS... because I don't have much 
> knowledge about that, sorry.
> Hope you will help me.
> Thanks
> Ben.T.George
> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal 
> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>     disclaimer: I don't use Samba as an ADS member server.  I use
>     samba as PDC with trusts to an ADS domain.  So my observations may
>     not be valid.
>     Did you try updating nsswitch.conf
>        passwd:     files winbind
>        group:    files winbind
>     If you are using a Windows domain and have a user defined in the
>     domain, you generally don't want to add the user as a local user.
>       Since the underlying unix OS needs to know about the domain
>     users you need to either use nsswitch+winbind (which I do) or the
>     smb pam module (which I don't use, and not sure if it really is
>     the correct approach.)
>     If you use nsswitch.conf+winbind you can then also OPTIONALLY
>     allow "windows" users "unix" access like ssh.    My samba server
>     is a PDC-  I have a domain trust with windows domains BUT  the
>     default shell is "/bin/false."    (It is still a little flaky...)
>     Does "getent passwd" show the windows users?   It should show
>     something like
>     ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>     or
>     SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>     It looks like you already have a "unix" ben and a "ADS" ben defined?
>     "wbinfo -s" and "wbinfo -n" are also useful for making sure that
>     the name-to-sid and sid-to-name mappings are correct for domain users.
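
The checks the thread keeps coming back to (winbind present in nsswitch.conf for passwd and group, "getent passwd" actually listing the domain users, and no local account duplicating a domain account) as a small audit script. This is an added example, not code from the thread or from the Samba project. The sample nsswitch.conf and getent output are constructed from what Ben posted and what Gaiseric says winbind should produce; the "SRE+" prefix (a '+' winbind separator) and the SRE+alice entry are assumptions for illustration. The script only sees the qualified DOMAIN+user form: if "winbind use default domain" is enabled, a duplicated user simply does not appear at all, and the fix is the same, remove the local duplicate.

```python
# Constructed sample input, built from the thread: the nsswitch.conf Ben posted
# and a cut-down 'getent passwd' with the local "ben" plus the domain entries
# Gaiseric says winbind should produce.  The "SRE+" prefix (a '+' winbind
# separator) and the SRE+alice entry are assumptions for illustration.
SAMPLE_NSSWITCH = """\
passwd:     files ldap winbind
group:      files ldap winbind
hosts:      dns files
ipnodes:    dns files
"""

SAMPLE_GETENT = """\
root:x:0:0:Super-User:/:/sbin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
ben:x:103:1::/home/ben:/bin/sh
SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/false
SRE+alice:*:10002:10001:Alice Example:/export/Home/SRE/alice:/bin/bash
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", ""}


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources, ignoring comments."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = sources.split()
    return db


def check_nsswitch(db):
    """Problems that stop winbind from supplying domain users to the OS.

    NSS consults the listed sources left to right, so any source listed
    before winbind is queried first on every lookup of a domain user.
    """
    problems = []
    for database in ("passwd", "group"):
        sources = db.get(database, [])
        if "winbind" not in sources:
            problems.append(f"{database}: winbind is not listed")
        elif "ldap" in sources and sources.index("ldap") < sources.index("winbind"):
            problems.append(f"{database}: ldap is consulted before winbind; "
                            "confirm an LDAP server is really in use")
    return problems


def parse_passwd(text):
    """Parse getent/passwd lines into dicts (name, uid, gid, gecos, home, shell)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def shadowed_domain_users(entries, separator="+"):
    """Domain accounts whose bare user name is also a local (files) account.

    The same person then has two UIDs, and with 'winbind use default domain'
    enabled the local entry hides the domain one, since files precedes winbind.
    """
    local_names = {e["name"] for e in entries if separator not in e["name"]}
    return sorted(e["name"] for e in entries
                  if separator in e["name"]
                  and e["name"].split(separator, 1)[1] in local_names)


def domain_users_with_login_shell(entries, separator="+"):
    """Domain accounts that can log in at the console or via ssh, not only SMB."""
    return sorted(e["name"] for e in entries
                  if separator in e["name"] and e["shell"] not in NOLOGIN_SHELLS)


def audit(nsswitch_text, getent_text, separator="+"):
    """Run all checks and return a report dict."""
    entries = parse_passwd(getent_text)
    domain = [e["name"] for e in entries if separator in e["name"]]
    report = {
        "nsswitch": check_nsswitch(parse_nsswitch(nsswitch_text)),
        "domain_users_seen": len(domain),
        "shadowed": shadowed_domain_users(entries, separator),
        "domain_logins": domain_users_with_login_shell(entries, separator),
    }
    if not domain:
        report["nsswitch"].append("getent passwd shows no domain users; "
                                  "check winbindd is running and 'wbinfo -u' works")
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_NSSWITCH, SAMPLE_GETENT).items():
        print(f"{key}: {value}")
```

On a real host, feed it the live files instead of the samples: audit(open("/etc/nsswitch.conf").read(), subprocess.check_output(["getent", "passwd"], text=True)), adjusting the separator to whatever "winbind separator" is set to in smb.conf. On the sample input it flags ldap sitting in front of winbind in both databases, reports SRE+ben as shadowed by the local ben, and shows that only SRE+alice has a real login shell.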
